AEPD - TD/00325/2019

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR; Article 15 GDPR; Article 56(2) GDPR; Article 57(1)(f) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 3.02.2020
Fine: None
Parties: Health Department of Madrid Vs. Anonymous
National Case Number: TD/00325/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD found that a data controller may not require the data subject to collect the requested personal data himself, or to have it collected on his behalf, if it can instead be sent by appropriate and adequate means. The data controller was able to identify the data subject and to send the personal data via encrypted email. It was therefore not proportionate, under Articles 12 and 15 GDPR, to answer that the right of access could be exercised only if the data subject appointed someone to collect his personal data on his behalf, instead of sending it directly to him.

English Summary

Facts

The complainant requested his medical records, which contain personal data, from the University Hospital Puerta de Hierro by e-mail. He asked the hospital to send the documentation by post to his place of residence in Honduras and later gave notice that he wanted it sent to Greece. The hospital answered that it was impossible to send the requested documentation by post to the alleged place of residence, namely Greece.

The hospital answered that the only possibility was for someone to collect the documentation on behalf of the data subject, as it was not possible to verify the data subject’s identity.

Following the data controller’s answer, the complainant filed a complaint with the AEPD, pursuant to Articles 56 and 57(1)(f) GDPR for obstructing his right of access.

Dispute

Could the data controller require the data subject to collect the personal data himself or to appoint someone to collect them on his behalf?

Holding

The AEPD noted that the exercise of the following rights had been refused: access, rectification, deletion, limitation, portability and opposition.

The AEPD pointed out that the data controller could easily have identified the data subject, as he had sent a photocopy of his identity card. It also noted that the data controller could have used an encryption system and sent the medical records by e-mail.

Therefore, the AEPD rejected the data controller’s argument and urged the data controller to comply with the data subject’s request within the following ten working days.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

File No.: TD/00325/2019
1037-100919

RESOLUTION No.: R/00657/2019

Having regard to the complaint filed on 9 May 2019 with this Agency by D.A.A.A., (hereinafter the complaining party), against CONSEJERÍA DE SANIDAD DE LA COMUNIDAD DE MADRID - SERVICIO MADRILEÑO DE SALUD, (hereinafter the complaining party), for failure to comply with its right of access.

Once the procedural actions provided for in Title VIII of the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD) have been carried out, the following have been established

FACTS 

FIRST: On April 15, 2019, the claimant exercised his right of access to the claimant with NIF S7800001E, without having received the legally established reply.  The claimant provides various documentation relating to the claim made before this Agency and on the exercise of the right exercised.           

Specifically, he requests access to his medical records by e-mail at the PUERTA DE HIERRO MAJADAHONDA UNIVERSITY HOSPITAL. On May 8, 2019, the respondent replies: "...It is impossible for us to send this documentation by mail.  We could deliver the documentation to some person authorized by you and it would have a period of one month from this date. After this time, if it has not been collected, it will be destroyed...".

SECOND: In accordance with the functions provided for in Regulation (EU) 2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), particularly those that respond to the principles of transparency and proactive responsibility on the part of the person responsible for the processing, you have been required to inform this Agency of the actions that have been carried out to deal with the complaint raised. In summary, the following allegations were made:
- The representative/Delegate of Data Protection of the claimant states in the allegations made during the processing of the present procedure:
  - That they cannot send the documentation to Honduras (place that the claimant had requested because he was residing there).
  - That they need to prove the identity of the applicant and they doubt such identification with the electronic systems used.
  - They ask the claimant the possibility that someone, previously authorized, collect the documentation on their behalf and that they have never denied the request for access.
- The complainant, who is aware of the allegations, provides new information on Greece.

LEGAL GROUNDS

FIRST: The Director of the Spanish Data Protection Agency is competent to take a decision in accordance with the provisions of Article 56(2) in conjunction with Article 57(1)(f) both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as 'RGPD'); and in Article 47 of the Organic Law 3/2018 of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter referred to as LOPDGDD).

SECOND: Article 64.1 of the LOPDGDD, provides the following: "1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will be initiated by an agreement of admission to procedure, which will be adopted in accordance with the provisions of the following article.   Once this period has elapsed, the interested party may consider his claim to have been accepted".

THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016, General Data Protection (GDPS), provides that:
"The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication pursuant to Articles 15 to 22 and 34 relating to the processing, in a clear, transparent, intelligible and easily accessible form, using plain language, in particular any information specifically addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means.   At the request of the person concerned, the information may be provided on a voluntary basis provided that the identity of the person concerned is established by other means.
2.   The controller shall facilitate the exercise of the rights of the data subject by virtue of Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for the purpose of exercising his/her rights pursuant to Articles 15 to 22, unless he/she can prove that he/she is not able to identify the data subject.
3. The controller shall provide the data subject with information concerning his or her actions on the basis of a request pursuant to Articles 15 to 22, and in any event within one month of receipt of the request. The period may be extended by two months if necessary, taking into account the complexity and the number of applications. The person responsible shall inform the applicant of any such extension within one month of receipt of the application, stating the reasons for the delay.  Where the data subject submits the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.
4. If the data controller does not comply with the request of the data subject, he shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for his failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.
5. The information provided under Articles 13 and 14 as well as any communication and any action taken under Articles 15 to 22 and 34 shall be free of charge. (a) charge a reasonable fee related to the administrative costs incurred in providing the information or communication or in performing the requested action; or
6. Without prejudice to Article 11, where the controller has reasonable doubt as to the identity of the natural person making the request referred to in Articles 15 to 21, he or she may request that the controller provide such further information as is necessary to confirm the identity of the data subject.
7. The information to be provided to the data subjects under Articles 13 and 14 may be transmitted in combination with standardised icons which provide an easily visible, intelligible and clearly legible overview of the intended processing. Icons presented in electronic form shall be mechanically legible.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be displayed by means of icons and the procedures for providing standardised icons.

FOURTH: Article 15 of the RGPD provides that:
“1. The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him are being processed and, if so, the right of access to the personal data and to the following information:
(c) the recipients or categories of recipient to whom the personal data have been disclosed, in particular recipients in third countries or international organisations
(e) the existence of the right to request from the controller the rectification or erasure of personal data or the limitation of the processing of personal data relating to the data subject or to object to such processing
(h) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information on the logic applied and the relevance and foreseeable consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 concerning the transfer.
3. The controller shall provide a copy of the personal data being processed. The controller may charge a reasonable fee based on administrative costs for any other copies requested by the data subject. Where the request is made by the data subject by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format.
4.   The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

FIFTH: Article 13 of the LOPDGDD determines the following:
"The data subject's right of access shall be exercised in accordance with Article 15 of Regulation (EU) 2016/679. Where the controller processes a large amount of data relating to the data subject and the controller exercises his right of access without specifying whether it relates to all or part of the data, the controller may, before providing the information, ask the data subject to specify the data or processing activities to which the request relates.
2. The right of access shall be deemed to be granted if the controller provides the data subject with a system of remote, direct and secure access to the personal data which guarantees, on a permanent basis, access to all the data. To this end, the communication by the controller to the data subject of the way in which he may access the system shall be sufficient to satisfy the request to exercise the right. However, the data subject may request from the controller information on the points set out in Article 15(1) of Regulation (EU) 2016/679 that is not included in the remote access system.
3. For the purposes set out in Article 12(5) of Regulation (EU) 2016/679, the exercise of the right of access may be considered to be repetitive on more than one occasion during the six-month period, unless there is a legitimate reason to do so.
4. Where the person concerned chooses a means other than that offered to him/her which entails disproportionate costs, the application shall be considered excessive and the person concerned shall bear the additional costs involved. In this case, only the satisfaction of the right of access to undue syndication shall be demanded of the data controller.

SIXTH: Before going into the substance of the questions raised, it should be noted that the present procedure is being conducted as a result of the refusal of any of the rights regulated by data protection legislation (access, rectification, deletion, limitation, portability and opposition) and aims to ensure that the corresponding measures are adopted so that the guarantees and rights of the affected party are duly restored. Therefore, in the present case, only those issues raised by the claimant that are included within the object of the aforementioned data protection claims procedure will be analysed and assessed.
The complainant requested access to his medical file by e-mail and, although in principle he requests that it be sent by post to Honduras, he later provides another address, this time in Greece. The complainant claims that he cannot send such documentation by mail abroad.
It should be pointed out that the complainant requested access by e-mail by sending a photocopy of his identity card, so he is perfectly identified and there is no doubt that the complainant can prove his identity.
In addition to offering him the option of having a third party collect the documentation on his behalf, the claimant could have considered sending him the documentation by e-mail and using an encryption system to safeguard the content.
What is not contemplated in the data protection regulations is not to attend to the right due to problems that may have a solution. In fact, this Agency is communicating with the complainant through the Notific@ electronic system, which shows the diversity of systems that can be used to exchange information.
In view of the above and other generally applicable provisions, the director of the Spanish Data Protection Agency

RESOLVED:
FIRST: TO ESTIMATE the claim made by Mr. A.A.A. and to urge CONSEJERÍA DE SANIDAD DE LA COMUNIDAD DE MADRID - SERVICIO MADRILEÑO DE SALUD with NIF S7800001E, so that, within ten working days following notification of this resolution, it sends the claimant a certificate stating that it has complied with the right of access exercised by the latter, or that it has given reasons for doing so, indicating the reasons why it is not appropriate to deal with the complaint. The actions taken as a result of this Resolution must be communicated to this Agency within the same period of time. Failure to comply with this Resolution may lead to the commission of the infringement considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the RGPD.

SECOND: TO NOTIFY THIS RESOLUTION to Mr. A.A.A. and to CONSEJERÍA DE SANIDAD DE LA COMUNIDAD DE MADRID - SERVICIO MADRILEÑO DE SALUD.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.

Mar Spain Martí
Director of the Spanish Data Protection Agency